Stocking the Shelves of Your Control Library
By Jason Rohlf
If I think back to my school years (between preschool and my “victory half-lap” ninth semester of college, there were 19.5 of them), there was one constant. It wasn’t recess or any particular subject or the bologna-and-cheese sandwiches in my trusty lunch bag. It was the library. Books, books and more books, each one filled with knowledge and intrigue, organized on shelves in buildings of all shapes and sizes in a way that made chasing down the information I needed relatively painless.
One person we have to thank for having a system to organize the knowledge we’ve collectively accumulated over the years is Melvil Dewey, a founding member of the American Library Association and the creator and publisher of the famed Dewey Decimal System back in 1876. This system divides subjects into ten primary classes of information, with each class subdivided into divisions and sections. Over the years, the system has been reviewed, revamped, revised and amended to account for multiple languages and new subject areas, but the foundational elements have remained largely the same.
I’m always fascinated and impressed by systems and structures that survive the test of time. It feels good to have a structured method that makes sense of what may seem like chaotic and unpredictable information. One area where our clients consistently need this kind of structure and predictability is the documentation and management of their library of internal controls. In my last post on this topic, I revisited how my own understanding of controls was formed, and found that the more I learned, the more intricate and overwhelming things could become.
In this post I’d like to focus on a more foundational element of an overarching controls and compliance program: the establishment of a control library. Much like Dewey’s decimal system, internal controls represent a system of knowledge points that people can use to find the guidance they need. I’ve spoken with numerous clients and prospects and reviewed too many control catalogs to count, and this has given me the opportunity to create my own basic system for building out an effective, sustainable control library.
Capture the Fundamental Details First
In Dewey’s system, the first determination is what class the book falls within. Is it a book about language or language arts (400) or does it focus on history (900)? The details will follow, but focusing on capturing the fundamental information at the outset of control creation sets you up for better knowledge and insight about your controls.
The first common fundamental element that you should define for your controls (or any data element you are ever capturing for that matter) is some sort of unique identifier—a piece of data that will clearly set a control apart from its peers. This is critical as you get into defining and understanding relationships between controls and other data elements as well as understanding exactly where potential issues may exist. It doesn’t matter if you use a unique numbering system like Dewey’s, a combination of control title and supported organizational unit or business process, or simply a randomly assigned number; just use something unique.
From there, the other foundational elements I’ve seen captured most often are:
- A title and description of the control
- Recommended testing procedures
- The fundamental purpose of the control (e.g., regulatory compliance, financial reporting and/or efficiency)
- A risk or criticality rating for the control (for prioritization purposes)
- The nature and frequency of the control (e.g., a preventive manual control that’s performed monthly)
- The primary owner of the control (of particular importance, as it establishes accountability for the control’s overall performance and effectiveness)
This list isn’t exhaustive but certainly provides a solid foundation.
Establish Key Relationships to Organization Data
In the Dewey Decimal System, once you have determined the class to which a book belongs, you can start capturing the detailed information that will help knowledge seekers track down the specific items they are researching. The same can be done for your system of internal controls. Once you have defined the basics, the next step is to define references to the elements of your organization that rely upon and/or are impacted by the control’s overall performance. The nature and extent of these relationships will depend on many factors, the most important being the control’s overall purpose for existing.
For example, if I have implemented a control that enforces password parameters and controls in a key financial system, I may be required to rely on that control to:
- Achieve compliance with a particular regulation (e.g., HIPAA or GDPR)
- Help mitigate the risk of unauthorized access to sensitive, non-public information
- Support the organization’s SOX section 404 reporting requirements
Given these requirements, it would stand to reason that I would want to capture certain key bits of information about my control, including:
- The specific element of HIPAA or GDPR that I am looking to achieve compliance with
- The risk of unauthorized access to sensitive information I’ve identified in my risk register
- A flag that indicates that this control is part of my SOX testing program and should be considered in any evaluations or sign-offs
I might have a simple field within the control record that I use to flag the control as a particular type of control, or I may establish a reference to another app where I store my regulatory and risk data. But the essential piece is always making sure that these relationships are well defined and understood.
Track, Evaluate, Monitor
While documenting and categorizing your controls is a fine and necessary first step, you won’t gain much insight into your overall performance unless you have a method for continually testing, validating, checking or otherwise monitoring them. This is key to understanding the implications that a control’s performance has for the other elements of the organization that rely on the control.
The most common approach that our clients take is establishing a test program targeting their system of controls. Whether performed by the control owners, an independent compliance team or an internal audit shop, evaluating the design and operating effectiveness of your controls on a regular basis equates to monitoring the vital signs of your organization’s ability to achieve its stated objectives.
This is not to say that every control is always tested, or tested with the same frequency as every other control. Gathering the key data elements described above (in particular the criticality rating and the relationships a control supports) helps you prioritize your evaluation activities and focus on the most essential controls. In addition, there may be other activities or actions you want to capture and monitor that fall outside the realm of testing. Whether you want your control owners to provide evidence that their controls were executed or simply to validate on a periodic basis that the control is still in place, having a scheduled and standardized approach to managing the state of your controls is essential to obtaining maximum value from your efforts.
Tying It All Together
Based on what our clients have experienced, we can certainly conclude that an organization stands to benefit from building a standardized control library. Even the simplest data points you capture can become part of a very compelling story about how well (or poorly) your organization is meeting its objectives. And organizing this library in a systematic and structured way allows you to keep that critical knowledge at your fingertips and answer compelling questions at a moment’s notice.